What is Content-Security-Policy (CSP) and why do I need it?

Content-Security-Policy is an HTTP response header that tells browsers which sources are allowed to load scripts, styles, images, and other resources on your page. A properly configured CSP is the most effective defence against Cross-Site Scripting (XSS) attacks. Without it, injected scripts can execute freely in your visitors' browsers.

What does HSTS do and should I enable it?

HTTP Strict Transport Security (HSTS) instructs browsers to always connect to your site over HTTPS, even if the user types http://. This prevents SSL-stripping attacks and protocol downgrade attacks. You should enable it on any site that has a valid TLS certificate. Start with a short max-age (e.g. 300 seconds) and increase to 31536000 (1 year) once confirmed working.

What is Permissions-Policy and which features should I disable?

Permissions-Policy (formerly Feature-Policy) controls which browser APIs your page and embedded iframes can access — camera, microphone, geolocation, payment, and more. As a rule, disable any feature your site does not actively use. This limits the blast radius if a third-party script is compromised.

How do I test if my security headers are working?

After deploying your headers, run a free scan on WebAudit (webaudit.in). It checks all major security headers — CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy — and gives you a security grade with specific fix recommendations for anything missing or misconfigured.

CSP Generator & Security Header Tools — Free Online

max-age — How long browsers enforce HTTPS

1 year (31536000 seconds) — recommended

31536000

Options

includeSubDomains

Apply HSTS to all subdomains

preload

Submit to browser preload list

Preload Requirements

To join the HSTS preload list:
max-age must be ≥ 31536000 (1 year), includeSubDomains must be set, and preload must be present. Submit at hstspreload.org.

Toggle each browser feature on or off. Off = blocked () means your site and any iframes cannot use this API. Self = your origin only.

Hardware Access

Sensors & Location

Media & Display

Payment & Identity

Best practice: Block everything you don't use. If your site never needs the camera or microphone, setting them to () means a compromised third-party script can't silently activate them.

Paste an existing Content-Security-Policy header value below to check for misconfigurations, dangerous directives, and missing protections.

Security Header Generators & CSP Validator